Scenario 15

BIMI Root and Subdomain Sender Configuration Scenario: Gmail Confirmation Pattern

This scenario covers how a regulated-industry sender configured BIMI records for both a root domain and an active sending subdomain, and what DNS structure is required to support BIMI evaluation on messages sent from subdomains.

Anonymization & Privacy Notice

To safeguard client confidentiality, this scenario is adapted from a real VMCCerts technical support case but has been fully anonymized. All brand names, proprietary domains, and unique cryptographic strings have been altered or omitted. The underlying technical challenges and VMC/BIMI validation solutions remain 100% authentic.

Scenario Snapshot

Organization typeRegulated-industry sender using both a root domain and a subdomain for outbound email
Industry categoryFinancial services / insurance
GoalDeploy BIMI across both the root domain and active sending subdomain to display the verified logo in Gmail
Starting pointVMC issued for the root domain; sender also sends from a subdomain and needed to understand whether a separate BIMI record was required
Main blockerUncertainty about whether the root domain BIMI record would cover the subdomain, or whether a separate BIMI TXT record was needed for the subdomain
Certificate pathSectigo Verified Mark Certificate
VMCCerts guidanceRoot vs subdomain BIMI record structure, subdomain DNS setup, Gmail evaluation behavior explanation
OutcomeBoth root domain and subdomain BIMI records published; Gmail logo display confirmed after setup
Best lessonA BIMI record on the root domain does not automatically cover sending subdomains — a separate record is required for each subdomain that sends mail

The Starting Point

The organization had a VMC issued and a BIMI record published on the root domain. Outbound marketing and transactional emails were also sent from a subdomain, and the sender wanted to know whether a second BIMI record on the subdomain was needed or whether the root-domain record would apply automatically to messages sent from the subdomain.

The Implementation Challenge

BIMI evaluation by Gmail and other mailbox providers is based on the domain in the email’s From address. When a message is sent from a subdomain, Gmail queries the BIMI record at default._bimi.subdomain.example.com, not at default._bimi.example.com. A root-domain BIMI record does not automatically cascade to subdomains for BIMI purposes — each sending subdomain needs its own BIMI TXT record pointing to the hosted logo and certificate files. It helps to confirm exactly where each BIMI TXT record needs to be published before adding a subdomain record.

# Root domain BIMI record — covers mail sent from root domain only
default._bimi.example.com  TXT  "v=BIMI1; l=https://…/logo.svg; a=https://…/cert.pem"
# Subdomain BIMI record — required for mail sent from mail.example.com
default._bimi.mail.example.com  TXT  "v=BIMI1; l=https://…/logo.svg; a=https://…/cert.pem"
# Both records can point to the same hosted logo and certificate files

How VMCCerts Guided the Process

VMCCerts explained the Gmail BIMI evaluation lookup behavior for subdomains, confirmed that a separate BIMI TXT record was required on the subdomain, and provided the exact DNS record format for the subdomain. Both records — root domain and subdomain — were configured to point to the same hosted logo SVG and certificate PEM files, which is acceptable when the same certificate covers the sending identity. VMCCerts also confirmed DMARC enforcement on both the root domain and subdomain before the second record was published, and verified that the issued VMC covered every sending identity in use across both domains.

The Outcome or Clarified Path

Both BIMI records were published and DMARC enforcement was confirmed on both the root domain and subdomain. Gmail logo display was confirmed after the subdomain record was in place. The deployment confirmed that both the root domain and subdomain show the same verified brand logo in Gmail for recipients receiving messages from either address. Reviewing how Gmail evaluates each sending domain’s BIMI record independently helps explain why both records were needed.

What Similar Brands Can Learn

  • A root-domain BIMI record does not cascade to sending subdomains — each subdomain that sends mail needs its own BIMI TXT record.
  • BIMI evaluation is based on the From address domain — Gmail queries the BIMI record for the exact domain or subdomain in the From field.
  • Both root-domain and subdomain BIMI records can reference the same hosted logo and certificate files when the certificate covers the organization’s sending identity.
  • DMARC enforcement must be confirmed at the subdomain level as well as the root domain before the subdomain BIMI record is published.
  • Senders using subdomains for transactional or marketing mail should confirm BIMI DNS coverage for each active sending subdomain.

When to Contact VMCCerts

If you send email from both a root domain and one or more subdomains and want BIMI logo display across all sending addresses, contact VMCCerts to confirm the DNS record structure required for each sending subdomain. Senders can get that subdomain review directly from a BIMI implementation specialist.

Sending from subdomains and not seeing BIMI logo display?
VMCCerts can confirm whether your subdomain has a BIMI TXT record and whether DMARC enforcement is in place — both are required for subdomain logo display.